Twitter: The new stage for hacker hijinks

Photo caption: Among the many Twitter pages found to be spreading a worm this morning was the Whitehouse. (Credit: Websense Labs)

Generating a news frenzy usually reserved for Apple product launches, pranksters turned Twitter into wormville this morning. The fast-spreading exploits proved two things: Twitter is undoubtedly now a mainstream service, and it's joined the ranks of big-time tech companies as a target for hackers.

Security experts interviewed by CNET say the messaging service has done a fair job of protecting itself so far, but will have to be more careful with its coding if it wants to be trusted for news aggregation, integration on corporate sites, and as a useful international communication tool.

"They're just as much in the crosshairs as Microsoft, Adobe, and Facebook," said Beth Jones, a senior threat researcher at Sophos.

Twitter doesn't necessarily have more holes than other sites, but the ones it has seem to be targeted at a high frequency by hackers interested in experimenting with new attacks and testing how far and fast dubious software can spread over the popular social network.

For instance, Norwegian programmer Magnus Holm created a worm that exploited the latest cross-site scripting hole in Twitter and watched with amazement as it spread. Initially, he was disappointed with the impact of his worm. He tweeted, "Meh, this worm doesn't really scale. The users can just delete the tweet." An hour later, things had changed. He posted, "Holy s**t. I think this is exponential: 3381 more results since you started searching" followed by "This is scary."

"This keeps happening to Twitter because that's where the (prankster) mentality exists," said Sean Sullivan, security advisor for F-Secure's North American labs. "Twitter is a perfect outlet for that type of guy trying to show his chops."

The latest attacks seem to have started rather quietly, in the complex underworld of hacker forums and back-and-forth coder chatter. The earliest evidence that someone had come across the possibility of a mouseover exploit comes from a Japanese hacker, Masato Kinugawa, who tweeted this morning that he had discovered the problem on August 14 and alerted Twitter to it. Also last month, two Twitter employees referred to the mouseover code in a discussion on coding community site GitHub.

Kinugawa, under the impression that nothing had been done at Twitter to solve the problem he'd flagged, noticed that it was still an issue in the newly redesigned Twitter interface. Early this morning--the afternoon in Japan--he created a test account called "Rainbow Twtr" in which the same code flaw was used to create blocks of color in lieu of text tweets. That's when others began to notice, including Holm and @matsta, who also created a worm and has since had his account on Twitter suspended.

A blog post from Twitter security chief Bob Lord late this morning acknowledged the attacks and attempted to calm down hysterical users who weren't sure why their accounts were bizarrely tweeting long strings of HTML and JavaScript. "The vast majority of exploits related to this incident fell under the prank or promotional categories...we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit," he wrote.

"Twitter had discovered and patched the hole last month but a recent site update unrelated to new Twitter inadvertently resurfaced it," Lord said.

It couldn't have come at a worse time for Twitter, which last week overhauled its Web interface to offer more features, better access to multimedia content, and a slant toward news consumption rather than a single timeline of short messages.

The fact that Twitter is an open network, searchable on Google and other search engines, and that accounts can be created by anyone, even under aliases, makes it an easier platform to exploit than Facebook, Sullivan said. But its simplicity also makes it easier for Twitter to spot attacks, he said.

It will be interesting to see how Twitter's new redesign will affect its ability to spot and squash spam and malware attacks. For example, Twitter won't easily be able to track and police malicious links that are included in YouTube videos and Flickr images accessible via a new viewing pane, according to Sullivan.

The growth in users has been both a boon and a burden for the start-up. "I think they did a good job of responding to this swiftly, but they've had such explosive growth that they're perpetually playing catch up," said Jones of Sophos. "Catching up with infrastructure and catching up with security."

Twitter makes some basic policy mistakes too. For instance, Twitter should not allow JavaScript in tweets, a technique used in the attacks earlier in the day, Jones said. "They need more quality assurance testing...This one was such an easy thing to avoid."

Twitter spokeswoman Carolyn Penner had this response: "We don't allow executable JavaScript in tweets. The fact that someone found a loophole today contributed to the issue."

Twitter is designed for people to broadcast short bits of information to a large number of people, who then rebroadcast it, and so on, and so on--a perfect environment for spreading malware and spam. "Facebook and Google have cross-site scripting vulnerabilities, but the Twitter ones are more visible because they've been used virally," said Jeremiah Grossman, chief technology officer at WhiteHat Security.

The need to refresh its features and respond to competition is likely behind some of the problems. Like many Web 2.0 companies that are constantly updating their sites, Twitter does agile development where software is developed and modified in small iterations at a fast pace. It's easy to make mistakes when writing code that fast, Grossman said.

Security problems are exacerbated when they ripple off Twitter's site and onto sites of corporations, organizations, and others who integrate Twitter feeds directly onto their Web sites. Automated Twitter feeds have also hastened the spread of attacks. Web sites can have tweet streams, banners, and images from third parties, or Web widgets that store code from other companies. This is an increasing source of malware on Web sites that otherwise would be safe.

Grossman suggested that Twitter offer money to people who find and report holes to them, like bounty programs at Mozilla and Google. Asked to comment on the suggestion, Twitter spokeswoman Penner said: "We work closely with the security community and, with their help we're able to get to other flaws before they are exploited." She declined to comment further.

Meanwhile, help may be on the horizon from browser makers. Mozilla is adding a new content security policy feature to Firefox 4.0 that will help thwart cross-site scripting and other attacks. But Twitter and other sites have to implement software to work with the technology, according to Grossman. Basically, the browser won't execute code that has not been defined as acceptable by the Web site.
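The two defenses the article points at, Jones's point that script must never survive inside a tweet's markup and the Content Security Policy that Grossman describes, as an added example in JavaScript; this is not Twitter's own code, and the function names, the header value and the sample tweets are constructed for illustration.

```javascript
// Added example, not Twitter's code. Shows the two layers the article
// mentions: rendering tweet text so user-supplied characters can never
// become markup or event handlers, and a Content-Security-Policy header
// that stops inline script even if some markup slips through.
// Function names, the header value and the sample tweets are constructed.

// Escape the characters that carry meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Pattern to avoid: the URL is dropped straight into an attribute, so a
// quote in the tweet closes href and whatever follows is parsed as a new
// attribute (an onmouseover= handler, for instance).
function renderTweetUnsafe(text) {
  return text.split(/(\s+)/).map((tok) =>
    /^https?:\/\//i.test(tok) ? `<a href="${tok}">${tok}</a>` : tok).join("");
}

// Only http(s) URLs without quote, angle-bracket or whitespace characters
// are eligible to become links; anything else is shown as plain text.
function isSafeUrl(u) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(u);
}

// Hardened form: every token is escaped, and a URL is escaped again in the
// attribute position, so no attribute boundary can be broken.
function renderTweet(text) {
  return text.split(/(\s+)/).map((tok) => {
    const safe = escapeHtml(tok);
    return isSafeUrl(tok)
      ? `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`
      : safe;
  }).join("");
}

// Second layer: a policy that allows scripts only from the site's own origin
// and no inline handlers at all. Firefox 4 shipped this as the prefixed
// X-Content-Security-Policy header; the standard name is used here.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";
```

The unsafe renderer is included only to show where the attribute boundary breaks; the hardened one keeps the same linkifying behaviour for ordinary URLs.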

Grossman praised Twitter for fixing the cross-site scripting hole and shutting down the attacks quickly, but said that because of its high-profile status, it needs to do more. "They're doing their best," he said, "but their best is not quite good enough."